Received: by 10.192.165.148 with SMTP id m20csp116293imm;
        Fri, 4 May 2018 07:33:46 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZrAsr17VzJKM5QUqbIb3AUjfRt+Db2oacEwUG8KW79LGBGVt0799bp1OZtcGx59iABSWv+N
X-Received: by 10.98.65.132 with SMTP id g4mr27314810pfd.51.1525444426818;
        Fri, 04 May 2018 07:33:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1525444426; cv=none;
        d=google.com; s=arc-20160816;
        b=nkNwbgwxjc8Kn4XzvEJ5lnIp9DJXZIoNwa8Gh3RQvx+xWw6DExMAZi8xRMF7ZnwXI8
         aIqQUsFaYTupbZgdTJD3F+5+lzLVow33Upvi3GDSkz4jd3Ex+CrvuGY+uPBY0I78lOV7
         cLIzoUaA3IxRMQFdk0bHQyBihnDIA/gFoth62LNRRYrn5x9y9vk6++Cw4Wah8WEXECXD
         et0hPy5RAnImGGNan8GMpBROb7s5XqoIh8+YAUOyIdbs0WpZFXKTXNNCYzcFfWes8BBy
         4B72ZvY6XhC1BdLA+U1/p9oLu/z95xFMP9FG8dnb03Afin0WN2u6kH8rM9j66y/WkKGr
         YaSg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:date:subject:cc:to:from
         :dkim-signature:arc-authentication-results;
        bh=+8BnCftpRwmjLgsvc8I840MoR3eXRTaORv3NOB7/Klk=;
        b=QlVlsXcoj1az8a7JpUGW/HuQdc3KAx6ZKRbjHBTi/Kecm2TIKglRbG6XqUXTXkVhVV
         9iS4HtnC/TOCrhGJmSPYs/SgdxrDo77LhZhqlBKBonYhoEz/ZGtP/9mcOBKPsiCXB8eA
         zvnggba463fdsFnEYHGsSfKDEJss1K7cYmPlyXpS/TNLINDLMWWvJ/pocnioThmRDLht
         6dmjGj3UgIs43vfjjh457SUf7RaSC2dshBmL7YPZzpLBhOJsRxdORXnP1KZ5DHKHQ/Wi
         LP7E/XF/A0hN39S0QDUb0ue5BfGkbqIc7pWRJ2vH7omAMEYLfwuZ8/k3A5BGBEqdtcBB
         1ylQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=KURbbKjn;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id x14-v6si6718421pll.24.2018.05.04.07.33.32;
        Fri, 04 May 2018 07:33:46 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=KURbbKjn;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751701AbeEDO3o (ORCPT <rfc822;ereslibre@gmail.com> + 99 others);
        Fri, 4 May 2018 10:29:44 -0400
Received: from mail-wr0-f194.google.com ([209.85.128.194]:44535 "EHLO
        mail-wr0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751419AbeEDO3l (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 4 May 2018 10:29:41 -0400
Received: by mail-wr0-f194.google.com with SMTP id y15-v6so9577516wrg.11;
        Fri, 04 May 2018 07:29:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:cc:subject:date:message-id;
        bh=+8BnCftpRwmjLgsvc8I840MoR3eXRTaORv3NOB7/Klk=;
        b=KURbbKjn4noBpxHWEkRlpl1XjdDKlf+oqdGLHukKdtSu5vDEyyk1+u8zq1vsikAAKz
         gL4Hx4FWrOe5BuU5ZuQRa72L2R/0qgO0Z8jGTB9en5pE4XYnFP+9nUTWNbbTAExfn6O2
         CxOti+yc5+bCjtws3BLwL/pi/M6DVY18frn/P9sRWhdqn5aHNUCC8aslrLDksqL3OgN8
         jHrgFargVSMdcn1X7ipVbbAmcEg/WTG1YCHw9Gb5N498ZYF3fsE93u33gARBl38sOP3Q
         2QcADD3O3MKa67g0dreWCB0yjyxz1Pnj2gCNur7ME5d10e0XxHcgrkx60FtoFpxLf5fk
         NkIQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id;
        bh=+8BnCftpRwmjLgsvc8I840MoR3eXRTaORv3NOB7/Klk=;
        b=Rh0vx3v7tcBRM94y/xsR0H24RKBi/UtEGC5RSls+ZFeEtD6hLuGnsOxCW/xAUNuzCf
         GjNv3L6uJMGn0ofZ/iL5zb/k4YNK8rvpitYf38RkpE2YuyFcMI6Yv+EZiL1iaDzwihlc
         rWMyYcMMiRlHE85N3X4M9V7WQ2tk3bZ2H+x7hqJ6rRWNGU3EMRBrFDYk0WD/0sT97Fjf
         Ls+vrIMMcjDfnVvP8bwBT8UjC2w2JC7gpAhpDm5lSL/vMYO0keI58LudQ0nQy28xNhIZ
         KM41bM6ZdCpo5nbUoSIs4eSXIys7yz5Qnnk6xNG+21QzlswuFh2RynjvKZ/z1HCqV3XJ
         iqCg==
X-Gm-Message-State: ALQs6tCZc0RlrI6EsBo0jPJTXMx97btHg4fNaPfewDyhcMzrLY6aQC1q
        uxByPKt2t2I8CaSxkm30O7GFxQ==
X-Received: by 2002:adf:db4f:: with SMTP id f15-v6mr21518495wrj.212.1525444179698;
        Fri, 04 May 2018 07:29:39 -0700 (PDT)
Received: from david-x1.fritz.box (p200300C2A3D634001758913C97055056.dip0.t-ipconnect.de. [2003:c2:a3d6:3400:1758:913c:9705:5056])
        by smtp.gmail.com with ESMTPSA id h8-v6sm1474907wmc.16.2018.05.04.07.29.38
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 04 May 2018 07:29:38 -0700 (PDT)
From:   David Herrmann <dh.herrmann@gmail.com>
To:     linux-kernel@vger.kernel.org
Cc:     James Morris <jmorris@namei.org>, Paul Moore <paul@paul-moore.com>,
        teg@jklm.no, Stephen Smalley <sds@tycho.nsa.gov>,
        selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org,
        Eric Paris <eparis@parisplace.org>, serge@hallyn.com,
        Casey Schaufler <casey@schaufler-ca.com>, davem@davemloft.net,
        netdev@vger.kernel.org, David Herrmann <dh.herrmann@gmail.com>
Subject: [PATCH v2 0/4] Introduce LSM-hook for socketpair(2)
Date:   Fri,  4 May 2018 16:28:18 +0200
Message-Id: <20180504142822.15233-1-dh.herrmann@gmail.com>
X-Mailer: git-send-email 2.17.0
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi

This is v2 of the socketpair(2) LSM hook introduction. Changes
since v1 are:

  - Added ACKs from previous series.

  - Moved the hook into generic socketpair(2) handling. The hook is now
    called security_socket_socketpair(), just like the other hooks on
    the socket layer.
    There is no AF_UNIX specific code, anymore.

  - Added SMACK support.

  - Still *NO* AppArmor support, since upstream AppArmor lacks
    SO_PEERSEC support and requires downstream patches (in particular,
    the apparmor_unix_stream_connect() function is mostly a stub and
    was never synced with Ubuntu downstream modifications).

Old cover letter follows (only trivial changes).

Thanks
David


This series adds a new LSM hook for the socketpair(2) syscall. The idea
is to allow SO_PEERSEC to be called on AF_UNIX sockets created via
socketpair(2), and return the same information as if you emulated
socketpair(2) via a temporary listener socket. Right now SO_PEERSEC
will return the unlabeled credentials for a socketpair, rather than the
actual credentials of the creating process.

A simple call to:

    socketpair(AF_UNIX, SOCK_STREAM, 0, out);

can be emulated via a temporary listener socket bound to a unique,
random name in the abstract namespace. By connecting to this listener
socket, accept(2) will return the second part of the pair. If
SO_PEERSEC is queried on these, the correct credentials of the creating
process are returned. A simple comparison between the behavior of
SO_PEERSEC on socketpair(2) and an emulated socketpair is included in
the dbus-broker test-suite [1].

This patch series tries to close this gap and makes both behave the
same. A new LSM-hook is added which allows LSMs to cache the correct
peer information on newly created socket-pairs.

Apart from fixing this behavioral difference, the dbus-broker project
actually needs to query the credentials of socketpairs, and currently
must resort to racy procfs(2) queries to get the LSM credentials of its
controller socket. Several parts of the dbus-broker project allow you
to pass in a socket during execve(2), which will be used by the child
process to accept control-commands from its parent. One natural way to
create this communication channel is to use socketpair(2). However,
right now SO_PEERSEC does not return any useful information, hence, the
child-process would need other means to retrieve this information. By
avoiding socketpair(2) and using the hacky-emulated version, this is not
an issue.

There was a previous discussion on this matter [2] roughly a year ago.
Back then there was the suspicion that proper SO_PEERSEC would confuse
applications. However, we could not find any evidence backing this
suspicion. Furthermore, we now actually see the contrary. Lack of
SO_PEERSEC makes it a hassle to use socketpairs with LSM credentials.
Hence, we propose to implement full SO_PEERSEC for socketpairs.

Thanks
David

[1] https://github.com/bus1/dbus-broker/blob/master/src/util/test-peersec.c
[2] https://www.spinics.net/lists/selinux/msg22674.html

David Herrmann (3):
  security: add hook for socketpair()
  net: hook socketpair() into LSM
  selinux: provide socketpair callback

Tom Gundersen (1):
  smack: provide socketpair callback

 include/linux/lsm_hooks.h  |  7 +++++++
 include/linux/security.h   |  7 +++++++
 net/socket.c               |  7 +++++++
 security/security.c        |  6 ++++++
 security/selinux/hooks.c   | 13 +++++++++++++
 security/smack/smack_lsm.c | 22 ++++++++++++++++++++++
 6 files changed, 62 insertions(+)

-- 
2.17.0